Jamf Nation, hosted by Jamf, is the largest Apple IT management community in the world. Dialog with your fellow IT professionals, gain insight about Apple device deployments, share best practices and bounce ideas off each other. Join the conversation.

macOS 10.14.4 with AD: Keychain lost after updating password outside of the Mac

I was told Apple finally fixed AD password syncing issues in macOS 10.14.4 several days ago, which I thought was great. (https://support.apple.com/en-us/HT209149#macos10144)

However, I confirmed a new issue while using 10.14.4: if I change my AD password outside of the Mac and use the new password to log in, normally it will require me to input the old password to update the keychain. This time, it did notify me about it, but there was no step to input the old password even when I chose "Update Keychain Password", and then it created a new keychain for me. As my company needs a cert to connect to Wi-Fi, this is pretty annoying.

If anyone has the same situation, you can try recovering your keychain by finding it in ~/Library/Keychains/XXXXXXX

Everything worked perfectly if I changed the password on the Mac, which the IT department does not recommend.

I would appreciate it a lot if anyone can offer Apple's explanation (links or mail reply) about it. A solution would be even better.

Apple has confirmed that this is a known issue / bug / defect of 10.14.4.
I'd suggest raising an Enterprise ticket with Apple and adding your +1 to this defect. So far I have no bug ID, but you can add your case to ours: 20000049607662

What I have never understood about this whole process is the need to have an end user enter their old Active Directory-created keychain password to change to their new Active Directory-created keychain password and not lose any of their keychain data. As someone who works in a place in a Helpdesk capacity, I must assist users in changing their forgotten passwords. The need for an end user to know and enter their old password defeats the purpose of helping an end user change to a new password if they cannot remember their old password, which was the reason that they called the Helpdesk for help in the first place.

@ClassicII, Apple told me that they don't disclose internal bug IDs... but as this is a known issue, you should be able to just set your +1 on this issue. But they also confirmed that this is not fixed in 10.14.5 - let's hope for 10.14.6...